[tor-talk] SSH connection attempts through hidden service
s7r at sky-ip.org
Tue Aug 11 14:27:10 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
When you have a SSH port open to the clearnet (especially if listening
on default port, 22) you get quite an amount of such failed automated
requests. Nothing to worry about here, really, if you don't use a dumb
root password which could be included in most of dictionaries. I
strongly recommend you to disable password authentication and only
allow ssh-key based authentication in sshd_config.
This is not a defect in Tor or in SSH. It's just how things work in
the wild - secure your server!
It doesn't matter you didn't share your onion hostname; it is
available and known to the HSDirs.
You can use this feature in torrc at server side (add it under
HiddenServiceAuthorizeClient basic <client name>
Tor will generate a passphrase, you can find it out from the
client_keys file created in the directory where you have your
private_key and hostname (HiddenServiceDir).
This will encrypt the descriptors published by your hidden service, so
only clients who provide the correct passphrase will be able to connect.
An additional line in torrc at client's side is needed to provide the
HidServAuth <hostname.onion> <passphrase> <optional service description>
If there are multiple users who need to connect to this hidden
service, you can add more HiddenServiceAuthorizeClient lines, for as
many users as you have - this way if you want to remove access just to
one user, you can delete the HiddenServiceAuthorizeClient line related
to his username and that passphrase won't work any more. The same
passphrase will work from multiple places (multiple clients) at the
On 8/11/2015 3:55 AM, Jens Kubieziel wrote:
> I'm running a SSH hidden service on some machines. Recently I was
> quite surprised to find the following lines in my logs:
> Aug 5 17:06:37 linux sshd: input_userauth_request: invalid
> user root [preauth] Aug 5 17:06:51 linux sshd:
> Disconnecting: Too many authentication failures for root [preauth]
> Nobody besides me knowns the onion name. But the person who ran
> those tests tried user names like tor, hidden etc.
> Has anyone also seen such connection attempts through hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
-----END PGP SIGNATURE-----
More information about the tor-talk